User Authentication for FortiOS 4.0 MR2
8 01-420-122870 -20101019
http://docs.fortinet.com/ • Feedback
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
This chapter contains the following topics:
• Before you begin
• Document conventions
• Entering FortiOS configuration data
• Registering your Fortinet product
• Fortinet products End User License Agreement
• Training
• Documentation
• Customer service and technical support
Before you begin
Before you begin using this guide, please ensure that:
• You have administrative access to the web-based manager and/or CLI.
• The FortiGate unit is integrated into your network.
• The operation mode has been configured.
• The system time, DNS settings, administrator password, and network interfaces have
been configured.
• Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
While using the instructions in this guide, note that administrators are assumed to be
super_admin administrators unless otherwise specified. Some restrictions will apply to
other administrators.
How this guide is organized
This FortiOS Handbook chapter contains the following sections:
“Introduction to authentication” describes some basic elements and concepts of
authentication.
“Authentication servers” describes external authentication servers and how to configure a
FortiGate unit to use them.
“Users and user groups” describes the different types of user accounts and user groups.
Authenticated access to resources is based on user identities and user groups.
“Configuring authenticated access” provides detailed procedures for setting up
authenticated access in firewall policies and authenticated access to VPNs.
“FSAE for integration with Windows AD or Novell” describes how to install and configure
the Fortinet Server Authentication Extension (FSAE) on network domain controllers and
the FortiGate unit. On the FortiGate unit, Windows AD or Novell network user groups can
be made members of Directory Services user groups. With FSAE, network users have
single sign-on access to resources through the FortiGate unit.
“Certificate-based authentication” describes authentication by means of X.509 certificates.
“Monitoring authenticated users” describes the FortiGate unit authenticated user
monitoring screens.
“Example” provides a configuration example in which Windows AD and other network
users are provided authenticated access to the Internet.
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing:
• IP addresses are made up of A.B.C.D
  • A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
  • B - 168, or the branch / device / virtual device number.
    • Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
    • Device or virtual device - allows multiple FortiGate units in this address space
      (VDOMs).
    • Devices can be from x01 to x99.
  • C - interface - FortiGate units can have up to 40 interfaces, potentially more than one
    on the same subnet.
    • 001 - 099 - physical address ports, and non-virtual interfaces
    • 100 - 255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
  • D - usage-based addresses; this part is determined by what the device is doing.
    • The following gives 16 reserved, 140 users, and 100 servers in the subnet.
    • 001 - 009 - reserved for networking hardware, like routers, gateways, etc.
    • 010 - 099 - DHCP range - users
    • 100 - 109 - FortiGate devices - typically only use 100
    • 110 - 199 - servers in general (see below for details)
    • 200 - 249 - static range - users
    • 250 - 255 - reserved (255 is broadcast, 000 not used)
    • The D segment servers can be further broken down into:
      • 110 - 119 - Email servers
      • 120 - 129 - Web servers
      • 130 - 139 - Syslog servers
      • 140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc.)
      • 150 - 159 - VoIP / SIP servers / managers
      • 160 - 169 - FortiAnalyzers
      • 170 - 179 - FortiManagers
      • 180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
      • 190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
    • Fortinet products, non-FortiGate, are found from 160 - 189.
The following table shows some examples of how to choose an IP number for a device
based on the information given. For internal and dmz, it is assumed in this case there is
only one interface being used.
Table 1: Examples of the IP numbering

Location and device                              Internal         Dmz              External
Head Office, one FortiGate                       10.011.101.100   10.011.201.100   172.20.120.191
Head Office, second FortiGate                    10.012.101.100   10.012.201.100   172.20.120.192
Branch Office, one FortiGate                     10.021.101.100   10.021.201.100   172.20.120.193
Office 7, one FortiGate with 9 VDOMs             10.079.101.100   10.079.101.100   172.20.120.194
Office 3, one FortiGate, web server              n/a              10.031.201.110   n/a
Bob in accounting on the corporate user          10.011.101.200   n/a              n/a
network (dhcp) at Head Office, one FortiGate
Router outside the FortiGate                     n/a              n/a              172.20.120.195
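The addressing scheme above, implemented as an added example (this code is not from the Fortinet handbook): encode_doc_address builds a zero-padded scheme address from branch, device, interface and host numbers, and decode_doc_address reverses it and names the usage class of the D octet. The function and constant names are this example's own; 192.168.x.x and the 172.20.120.0 "Internet" network do not carry a branch/device number in B, so those are reported without one.

```python
"""Encode and decode the A.B.C.D documentation addressing scheme.

Added example, not part of the Fortinet handbook. It implements the rules as the
handbook states them: a branch digit plus a two-digit device number in B, the
interface number in C, and a usage range in D.
"""

BRANCH_KINDS = {0: "head office", 1: "remote", 2: "other"}

# D-octet usage ranges as listed in the document conventions: (low, high, role).
DOC_D_RANGES = [
    (1, 9, "reserved for networking hardware"),
    (10, 99, "DHCP range - users"),
    (100, 109, "FortiGate devices"),
    (110, 119, "email servers"),
    (120, 129, "web servers"),
    (130, 139, "syslog servers"),
    (140, 149, "authentication servers (RADIUS, LDAP, TACACS+, FSAE)"),
    (150, 159, "VoIP / SIP servers / managers"),
    (160, 169, "FortiAnalyzers"),
    (170, 179, "FortiManagers"),
    (180, 189, "other Fortinet products"),
    (190, 199, "other non-Fortinet servers"),
    (200, 249, "static range - users"),
    (250, 255, "reserved (255 is broadcast)"),
]


def role_of_d(d):
    """Map the D octet to the usage class the scheme assigns to it."""
    if d == 0:
        return "not used (network address)"
    for low, high, role in DOC_D_RANGES:
        if low <= d <= high:
            return role
    raise ValueError(f"D octet out of range: {d}")


def encode_doc_address(branch, device, interface, host, first_octet=10):
    """Build a zero-padded scheme address, e.g. (0, 11, 101, 100) -> '10.011.101.100'."""
    if branch not in BRANCH_KINDS:
        raise ValueError("branch must be 0 (head office), 1 (remote) or 2 (other)")
    if not 1 <= device <= 99:
        raise ValueError("device must be x01..x99")
    if not 1 <= interface <= 255:
        raise ValueError("interface must be 001..255")
    if not 0 <= host <= 255:
        raise ValueError("host octet must be 0..255")
    return f"{first_octet}.{branch}{device:02d}.{interface:03d}.{host:03d}"


def decode_doc_address(addr):
    """Split a scheme address into its branch/device/interface/usage meaning.

    Leading zeros ('011') are accepted because the handbook writes them that way;
    the ipaddress module would reject them, so the octets are parsed by hand.
    """
    parts = addr.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"{addr!r} is not four dotted decimal octets")
    a, b, c, d = (int(p, 10) for p in parts)
    if any(o > 255 for o in (a, b, c, d)):
        raise ValueError(f"{addr!r} has an octet above 255")
    if a not in (10, 172, 192):
        raise ValueError(f"{addr!r} does not start with an RFC 1918 first octet")
    info = {"first_octet": a, "b": b}
    if a == 10:
        info["branch"] = BRANCH_KINDS[b // 100]   # first digit of B
        info["device"] = b % 100                  # device / VDOM number, x01..x99
    else:
        # 192.168.x.x has a fixed B of 168, and the handbook's 172.20.120.0 "Internet"
        # network does not use the branch/device encoding, so no branch is reported.
        info["branch"] = None
        info["device"] = None
    info["interface"] = c
    if 1 <= c <= 99:
        info["interface_kind"] = "physical port or non-virtual interface"
    elif c >= 100:
        info["interface_kind"] = "VLAN, tunnel, aggregate, redundant or vdom-link"
    else:
        info["interface_kind"] = "unspecified"
    info["host"] = d
    info["role"] = role_of_d(d)
    return info
```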
Example Network configuration
The network configuration shown in Figure 1 or variations on it is used for many of the
examples in this document. In this example, the 172.20.120.0 network is equivalent to the
Internet. The network consists of a head office and two branch offices.
Figure 1: Example network configuration
[Diagram not reproduced. Labels recoverable from it: Head office, Branch office 1 and Branch office 2; WAN 172.20.120.0; FortiGate-82C; FortiGate-620B HA cluster; FortiWiFi-80CM (WLAN 10.12.101.100, SSID example.com, DHCP range 10.12.101.200-249); FortiAnalyzer-100B; FortiMail-100C; FortiGate-3810A; FortiGate-51B; FortiManager-3000B; Windows PC 10.11.101.10; Linux PC 10.11.101.20; Linux PC 10.21.101.10; Windows PC 10.31.101.10; cluster of FortiGate-5005FA2 (Port 1: 10.21.101.102 and 10.21.101.103), FortiSwitch-5003A (Port 1: 10.21.101.161) and FortiGate-5050-SM (Port 1: 10.21.101.104); Engineering network 10.22.101.0.]
Cautions, Notes and Tips
Fortinet technical documentation uses the following guidance and styles for cautions,
notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Note: Presents useful information, but usually focused on an alternative, optional method,
such as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 2: Typographical conventions in Fortinet technical documentation

Convention                   Example
Button, menu, text box,      From Minimum log level, select Notification.
field, or check box label
CLI input                    config system dns
                               set primary <address_ipv4>
                             end
CLI output                   FGT-602803030703 # get system settings
                             comments : (null)
                             opmode : nat
Emphasis                     HTTP connections are not secure and can be intercepted by a
                             third party.
File content                 <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                             <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink                    Visit the Fortinet Technical Support web site,
                             https://support.fortinet.com.
Keyboard entry               Type a name for the remote VPN peer or client, such as
                             Central_Office_1.
Navigation                   Go to VPN > IPSEC > Auto Key (IKE).
Publication                  For details, see the FortiOS Handbook.
CLI command syntax conventions
This guide uses the following conventions to describe the syntax to use when entering
commands in the Command Line Interface (CLI).
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
Table 3: Command syntax notation

Convention             Description
Square brackets [ ]    A non-required word or series of words. For example:
                         [verbose {1 | 2 | 3}]
                       indicates that you may either omit or type both the verbose word
                       and its accompanying option, such as:
                         verbose 3
Angle brackets < >     A word constrained by data type.
                       To define acceptable input, the angle brackets contain a descriptive
                       name followed by an underscore ( _ ) and a suffix that indicates the
                       valid data type. For example:
                         <retries_int>
                       indicates that you should enter a number of retries, such as 5.
                       Data types include:
                       • <xxx_name>: A name referring to another part of the
                         configuration, such as policy_A.
                       • <xxx_index>: An index number referring to another part of the
                         configuration, such as 0 for the first static route.
                       • <xxx_pattern>: A regular expression or word with wild cards
                         that matches possible variations, such as *@example.com to
                         match all email addresses ending in @example.com.
                       • <xxx_fqdn>: A fully qualified domain name (FQDN), such as
                         mail.example.com.
                       • <xxx_email>: An email address, such as
                         admin@mail.example.com.
                       • <xxx_url>: A uniform resource locator (URL) and its associated
                         protocol and host name prefix, which together form a uniform
                         resource identifier (URI), such as http://www.fortinet.com/.
                       • <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
                       • <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
                         255.255.255.0.
                       • <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
                         separated by a space, such as 192.168.1.99 255.255.255.0.
                       • <xxx_ipv4/mask>: A dotted decimal IPv4 address and
                         CIDR-notation netmask separated by a slash, such as
                         192.168.1.99/24.
                       • <xxx_ipv6>: A colon ( : ) delimited hexadecimal IPv6 address,
                         such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
                       • <xxx_v6mask>: An IPv6 netmask, such as /96.
                       • <xxx_ipv6mask>: An IPv6 address and netmask separated by a
                         space.
                       • <xxx_str>: A string of characters that is not another data type,
                         such as P@ssw0rd. Strings containing spaces or special
                         characters must be surrounded in quotes or use escape
                         sequences.
                       • <xxx_int>: An integer number that is not another data type,
                         such as 15 for the number of minutes.
Curly braces { }       A word or series of words that is constrained to a set of options
                       delimited by either vertical bars or spaces.
                       You must enter at least one of the options, unless the set of
                       options is surrounded by square brackets [ ].
Options delimited      Mutually exclusive options. For example:
by vertical bars |       {enable | disable}
                       indicates that you must enter either enable or disable, but must
                       not enter both.
Options delimited      Non-mutually exclusive options. For example:
by spaces                {http https ping snmp ssh telnet}
                       indicates that you may enter all or a subset of those options, in
                       any order, in a space-delimited list, such as:
                         ping https ssh
                       Note: To change the options, you must re-type the entire list. For
                       example, to add snmp to the previous example, you would type:
                         ping https snmp ssh
                       If the option adds to or subtracts from the existing list of
                       options, instead of replacing it, or if the list is comma-delimited,
                       the exception will be noted.
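The notation in Table 3, as an added example (not code from the handbook): parse_syntax turns a syntax string using [ ], { | }, { } and <xxx_type> into a small grammar, and match_command checks a typed command against it, enforcing the rules above (exactly one pipe-delimited option; at least one space-delimited option, with no repeats, unless the set is in square brackets; values such as <address_ipv4> checked by data type). Only a few data-type suffixes are implemented, and the command lines used as input are illustrative.

```python
import re

# Value checks for a few of the <xxx_suffix> data types listed in Table 3.
# The selection of suffixes is this example's own; add more as needed.
def _is_ipv4(tok):
    parts = tok.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

TYPE_CHECKS = {
    "int": str.isdigit,
    "ipv4": _is_ipv4,
    "name": lambda tok: re.fullmatch(r"[\w-]+", tok) is not None,
    "str": lambda tok: len(tok) > 0,
}


def parse_syntax(template):
    """Turn a Table 3 style syntax string into a list of (kind, payload) elements.

    kinds: literal, one_of ({a | b}), subset ({a b c}), typed (<name_type>) and
    optional ([ ... ], whose payload is a nested element list).
    """
    tokens = re.findall(r"[\[\]{}|]|[^\s\[\]{}|]+", template)
    pos = 0

    def parse_seq(closer):
        nonlocal pos
        seq = []
        while pos < len(tokens) and tokens[pos] != closer:
            tok = tokens[pos]
            pos += 1
            if tok == "[":
                seq.append(("optional", parse_seq("]")))
                if pos >= len(tokens):
                    raise ValueError("missing ']'")
                pos += 1  # consume ']'
            elif tok == "{":
                options, piped = [], False
                while pos < len(tokens) and tokens[pos] != "}":
                    if tokens[pos] == "|":
                        piped = True
                    else:
                        options.append(tokens[pos])
                    pos += 1
                if pos >= len(tokens):
                    raise ValueError("missing '}'")
                pos += 1  # consume '}'
                seq.append(("one_of" if piped else "subset", options))
            elif tok.startswith("<") and tok.endswith(">"):
                seq.append(("typed", tok[1:-1].rpartition("_")[2]))  # suffix after '_'
            else:
                seq.append(("literal", tok))
        return seq

    return parse_seq(None)


def _match_seq(elements, words, pos):
    """Consume words against elements; return (new_pos, error_or_None)."""
    for kind, payload in elements:
        if kind == "literal":
            if pos >= len(words) or words[pos] != payload:
                return pos, f"expected {payload!r} at word {pos}"
            pos += 1
        elif kind == "one_of":
            if pos >= len(words) or words[pos] not in payload:
                return pos, f"expected exactly one of {payload} at word {pos}"
            pos += 1
        elif kind == "subset":
            seen = []
            while pos < len(words) and words[pos] in payload:
                if words[pos] in seen:
                    return pos, f"option {words[pos]!r} repeated"
                seen.append(words[pos])
                pos += 1
            if not seen:
                return pos, f"expected at least one of {payload} at word {pos}"
        elif kind == "typed":
            check = TYPE_CHECKS.get(payload)
            if check is None:
                return pos, f"unsupported data type {payload!r}"
            if pos >= len(words) or not check(words[pos]):
                return pos, f"expected a <..._{payload}> value at word {pos}"
            pos += 1
        elif kind == "optional":
            new_pos, err = _match_seq(payload, words, pos)
            if err is None:
                pos = new_pos
            elif new_pos > pos:
                return new_pos, err   # group was started but not completed
    return pos, None


def match_command(template, command):
    """Return (True, 'ok') if command follows the template, else (False, reason)."""
    words = command.split()
    pos, err = _match_seq(parse_syntax(template), words, 0)
    if err:
        return False, err
    if pos != len(words):
        return False, f"unexpected trailing input: {' '.join(words[pos:])}"
    return True, "ok"
```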
Entering FortiOS configuration data
The configuration of a FortiGate unit is stored as a series of configuration settings in the
FortiOS configuration database. To change the configuration you can use the web-based
manager or CLI to add, delete or change configuration settings. These configuration
changes are stored in the configuration database as they are made.
Individual settings in the configuration database can be text strings, numeric values,
selections from a list of allowed options, or on/off (enable/disable).
Entering text strings (names)
Text strings are used to name entities in the configuration, such as a firewall address
or an administrative user. You can enter any character in a FortiGate configuration text
string except that, to prevent Cross-Site Scripting (XSS) vulnerabilities, text strings in
FortiGate configuration names cannot include the following characters:
" (double quote), & (ampersand), ' (single quote), < (less than) and > (greater than)
You can determine the limit to the number of characters that are allowed in a text string by
determining how many characters the web-based manager or CLI allows for a given name
field. From the CLI, you can also use the tree command to view the number of
characters that are allowed. For example, firewall address names can contain up to 64
characters. When you add a firewall address to the web-based manager you are limited to
entering 64 characters in the firewall address name field. From the CLI you can do the
following to confirm that the firewall address name field allows 64 characters.
config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- cache-ttl (0,86400)
|- wildcard
|- comment (64 xss)
|- associated-interface (16)
+- color (0,32)
Note that the tree command output also shows the number of characters allowed for other
firewall address name settings. For example, the fully-qualified domain name (fqdn) field
can contain up to 256 characters.
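An added example (not from the handbook) that turns tree output like the listing above into a checker: parse_tree reads the per-field limits, and check_field rejects names that exceed the limit or contain the characters FortiOS refuses for XSS prevention. SAMPLE_TREE is a constructed copy of the output shown above; treating every length-limited field as a name-style string, and the "xss" token as a flag, are this example's assumptions.

```python
import re

# Characters the handbook says FortiGate configuration names may not contain (XSS prevention).
FORBIDDEN_NAME_CHARS = frozenset('"&\'<>')

# Constructed copy of the `config firewall address` / `tree` output shown in the text.
SAMPLE_TREE = """\
-- [address] --*name (64)
               |- subnet
               |- type
               |- start-ip
               |- end-ip
               |- fqdn (256)
               |- cache-ttl (0,86400)
               |- wildcard
               |- comment (64 xss)
               |- associated-interface (16)
               +- color (0,32)
"""

# A field name, optionally followed by its "(...)" constraint, at the end of a tree line.
_FIELD_RE = re.compile(r"(?P<name>[A-Za-z][\w-]*)\s*(?:\((?P<spec>[^)]*)\))?\s*$")


def parse_tree(text):
    """Return {field: constraint} from tree output.

    "(N)" is taken as a maximum string length, "(lo,hi)" as an integer range, and an
    extra "xss" token as a flag that the field is XSS-filtered (the handbook does not
    define that token; reading it as a flag is this example's assumption).
    """
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.search(line)
        if not m:
            continue
        name, spec = m.group("name"), m.group("spec")
        if spec is None:
            fields[name] = {"kind": "unconstrained"}
            continue
        tokens = spec.replace(",", " ").split()
        if "," in spec and len(tokens) == 2:
            fields[name] = {"kind": "int", "min": int(tokens[0]), "max": int(tokens[1])}
        else:
            fields[name] = {"kind": "string", "max_len": int(tokens[0]),
                            "xss": "xss" in tokens[1:]}
    return fields


def check_field(fields, name, value):
    """Return a list of problems with value for the named field (empty if acceptable)."""
    spec = fields.get(name)
    if spec is None:
        return [f"unknown field {name!r}"]
    problems = []
    if spec["kind"] == "string":
        if not isinstance(value, str):
            return [f"{name}: expected a string"]
        if len(value) > spec["max_len"]:
            problems.append(f"{name}: {len(value)} characters exceeds the limit of {spec['max_len']}")
        bad = sorted(FORBIDDEN_NAME_CHARS.intersection(value))
        if bad:
            problems.append(f"{name}: contains forbidden character(s) {''.join(bad)}")
    elif spec["kind"] == "int":
        if not isinstance(value, int) or not spec["min"] <= value <= spec["max"]:
            problems.append(f"{name}: must be an integer in {spec['min']}..{spec['max']}")
    return problems
```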
Entering numeric values
Numeric values are used to configure various sizes, rates, numeric addresses, or other
numeric values. For example, a static routing priority of 10, a port number of 8080, or an
IP address of 10.10.10.1. Numeric values can be entered as a series of digits without
spaces or commas (for example, 10 or 64400), in dotted decimal format (for example the
IP address 10.10.10.1) or as in the case of MAC or IPv6 addresses separated by colons
(for example, the MAC address 00:09:0F:B7:37:00). Most numeric values are standard
base-10 numbers, but some fields (again such as MAC addresses) require hexadecimal
numbers.
Most web-based manager numeric value configuration fields limit the number of numeric
digits that you can add or contain extra information to make it easier to add the acceptable
number of digits and to add numbers in the allowed range. CLI help includes information
about allowed numeric value ranges. Both the web-based manager and the CLI prevent
you from entering invalid numbers.
Selecting options from a list
If a configuration field can only contain one of a number of selected options, the
web-based manager and CLI present you a list of acceptable options and you can select
one from the list. No other input is allowed. From the CLI you must spell the selection
name correctly.
Enabling or disabling options
If a configuration field can only be on or off (enabled or disabled) the web-based manager
presents a check box or other control that can only be enabled or disabled. From the CLI
you can set the option to enable or disable.
Registering your Fortinet product
Before you begin configuring and customizing features, take a moment to register your
Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently
Asked Questions.
Fortinet products End User License Agreement
See the Fortinet products End User License Agreement.
Training
Fortinet Training Services provides courses that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.
Fortinet Tools and Documentation CD
Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.
Fortinet Knowledge Base
The Fortinet Knowledge Base provides additional Fortinet technical documentation, such
as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and
more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this or any Fortinet technical
document to techdoc@fortinet.com.
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet
products install quickly, configure easily, and operate reliably in your network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Base article FortiGate
Troubleshooting Guide - Technical Support Requirements.
Introduction to authentication
Identifying users and other computers—authentication—is a key part of network security.
This section describes some basic elements and concepts of authentication.
The following topics are included in this section:
• What is authentication?
• Means of authentication
• Types of authentication
• User’s view of authentication
• FortiGate administrator’s view of authentication
What is authentication?
Authentication is the act of confirming the identity of a person or other entity. In the context
of a private computer network, the identities of users or host computers must be
established to ensure that only authorized parties can access the network. The FortiGate
unit provides network access control and applies authentication to users of firewall
policies and VPN clients.
Means of authentication
FortiGate unit authentication is divided into two basic types: password authentication for
people and certificate authentication for hosts or endpoints. An exception to this is that
FortiGate units in an HA cluster and FortiManager units use password authentication.
Password authentication verifies individual user identities, but access to network
resources is based on membership in user groups. For example, a firewall policy can be
configured to permit access only to the members of one or more user groups. Any user
who attempts network access through that policy is then authenticated through a request
for their user name and password.
Local password authentication
The simplest authentication is based on user accounts stored locally on the FortiGate unit.
For each account, a user name and password is stored. The account also has a disable
option so that you can suspend the account without deleting it.
Local user accounts work well for a single-FortiGate installation. If your network has
multiple FortiGate units that will use the same accounts, the use of an external
authentication server can simplify account configuration and maintenance.
You create local user accounts in the web-based manager under User > User. This page is
also used to create accounts where an external authentication server stores and verifies
the password.
Server-based password authentication
Using external LDAP, RADIUS, or TACACS+ authentication servers is desirable when
multiple FortiGate units need to authenticate the same users, or where the FortiGate unit
is added to a network that already contains an authentication server.
When you use an external authentication server to authenticate users, the FortiGate unit
sends the user’s entered credentials to the external server. The password is encrypted.
The server’s response indicates whether the supplied credentials are valid or not.
You must configure the FortiGate unit to access the external authentication servers that
you want to use. The configuration includes the parameters that authenticate the
FortiGate unit to the authentication server.
You can use external authentication servers in two ways:
• Create user accounts on the FortiGate unit, but instead of storing each user’s
password, specify the server used to authenticate that user. As with accounts that
store the password locally, you add these users to appropriate user groups.
• Add the authentication server to user groups. Any user who has an account on the
server can be authenticated and have the access privileges of the FortiGate user
group. Optionally, when an LDAP server is a FortiGate user group member, you can
limit access to users who belong to specific groups defined on the LDAP server.
Single Sign On authentication using FSAE
“Single sign on” means that users logged on to a computer network are authenticated for
access to network resources through the FortiGate unit without having to enter their user
name and password again. The Fortinet Server Authentication Extension (FSAE) provides
Single Sign On capability for:
• Microsoft Windows networks using either Active Directory or NTLM authentication
• Novell networks, using eDirectory
FSAE monitors user logons and sends the FortiGate unit the user name, IP address, and
the list of Windows AD user groups to which the user belongs. When the user tries to
access network resources, the FortiGate unit selects the appropriate firewall policy for the
destination. If the user belongs to one of the permitted user groups, the connection is
allowed.
For detailed information about FSAE, see “FSAE for integration with Windows AD or
Novell” on page 57.
Certificate-based authentication
An RSA X.509 server certificate is a small file issued by a Certificate Authority (CA) that is
installed on a computer or FortiGate unit to authenticate itself to other devices on the
network. When one party on a network presents the certificate as authentication, the other
party can validate that the certificate was issued by the CA. The identification is therefore
as trustworthy as the Certificate Authority (CA) that issued the certificate.
To protect against compromised or misused certificates, CAs can revoke any certificate by
adding it to a Certificate Revocation List (CRL). Certificate status can also be checked
online using Online Certificate Status Protocol (OCSP).
RSA X.509 certificates are based on public-key cryptography, in which there are two keys:
the private key and the public key. Data encrypted with the private key can be decrypted
only with the public key and vice versa. As the names suggest, the private key is never
revealed to anyone and the public key can be freely distributed. Encryption with the
recipient’s public key creates a message that only the intended recipient can read.
Encryption with the sender’s private key creates a message whose authenticity is proven
because it can be decrypted only with the sender’s public key.
Server certificates contain a signature string encrypted with the CA’s private key. The CA’s
public key is contained in a CA root certificate. If the signature string can be decrypted with
the CA’s public key, the certificate is genuine.
Certificate authorities
A certificate authority can be:
• an organization, such as VeriSign Inc., that provides certificate services
• a software application, such as Microsoft Certificate Services or OpenSSH
For a company web portal or customer-facing SSL VPN, a third-party certificate service
has some advantages. The CA certificates are already included in popular web browsers
and customers trust the third-party. On the other hand, third-party services have a cost.
For administrators and for employee VPN users, the local CA based on a software
application provides the required security at low cost. You can generate and distribute
certificates as needed. If an employee leaves the organization, you can simply revoke
their certificate.
Certificates for users
FortiGate unit administrators and SSL VPN users can install certificates in their web
browsers to authenticate themselves. If the FortiGate unit uses a CA-issued certificate to
authenticate itself to the clients, the browser will also need the appropriate CA certificate.
FortiGate IPsec VPN users can install server and CA certificates according to the
instructions for their IPsec VPN client software. The FortiClient Endpoint Security
application, for example, can import and store the certificates required by VPN
connections.
FortiGate units are also compatible with some Public Key Infrastructure systems. For an
example of this type of system, see “RSA/ACE (SecurID) servers” on page 37.
Two-factor authentication
Optionally, you can require both a certificate and user name/password authentication.
Certificates are installed on the user’s computer. Also requiring a password protects
against unauthorized use of that computer. Two-factor authentication is available for PKI
users. For more information, see “Two-factor authentication” on page 42.
Types of authentication
Authentication applies to several FortiGate features:
• firewall policies (identity-based policies)
• VPNs
Firewall authentication (or Identity-based policies)
Firewall policies enable traffic to flow between network interfaces. If you want to limit
which users have access to particular resources, you create identity-based firewall
policies that allow access only to members of specific user groups. Authentication, a
request for user name and password, is triggered when a user attempts to access a
resource for which data must pass through an identity-based firewall policy.
The user’s authentication expires if the connection is idle for too long. The Authentication
Timeout setting is in User > Authentication. It has a default timeout of 30 minutes.
FortiGuard Web Filter override authentication
Optionally, users can be allowed the privilege of overriding FortiGuard Web Filtering to
view blocked web sites. Depending on the override settings, the override can apply to the
user who requested it, the entire user group to which the user belongs, or all users who
share the same web filter profile. As with other FortiGate features, access to FortiGuard
overrides is controlled through user groups. Firewall and Directory Services user groups
are eligible for the override privilege. For more information about web filtering and
overrides, see the UTM chapter of this FortiOS Handbook.
VPN authentication
In IPsec VPNs, there is authentication of the peer device and optionally of the peer user.
Authenticating IPsec VPN peers (devices)
The simplest way for IPsec VPN peers to authenticate each other is through the use of a
preshared key, sometimes also called a shared secret. The preshared key is a text string
used to encrypt the data exchanges that establish the VPN tunnel. The tunnel cannot be
established if the two peers do not use the same key. The disadvantage of preshared key
authentication is that it can be difficult to securely distribute and update the preshared
keys.
RSA X.509 certificates are a better way for VPN peers to authenticate each other. Each
peer offers a certificate signed by a Certificate Authority (CA) which the other peer can
validate with the appropriate CA root certificate. For more information about certificates,
see “Certificate-based authentication” on page 85.
You can supplement either preshared key or certificate authentication by requiring the
other peer to provide a specific peer ID value. The peer ID is a text string configured on
the peer device. On a FortiGate peer or FortiClient Endpoint Security peer, the peer ID
provided to the remote peer is called the Local ID.
Authenticating IPsec VPN users
An IPsec VPN can be configured to accept connections from multiple dynamically
addressed peers. You would do this to enable employees to connect to the corporate
network while traveling or from home. On a FortiGate unit, you create this configuration by
setting the Remote Gateway to Dialup User.
It is possible to have an IPsec VPN in which remote peer devices authenticate using a
common preshared key or a certificate, but there is no attempt to identify the user at the
remote peer. To add user authentication, you can do one of the following:
• require a unique preshared key for each peer
• require a unique peer ID for each peer
• require a unique peer certificate for each peer
• require additional user authentication (XAuth)
The peer ID is a text string configured on the peer device. On a FortiGate peer or
FortiClient Endpoint Security peer, the peer ID provided to the remote peer is called the
Local ID.
Authenticating SSL VPN users
SSL VPN users can be:
• user accounts with passwords stored on the FortiGate unit
• user accounts authenticated by an external RADIUS, LDAP or TACACS+ server
• PKI users authenticated by certificate
You need to create a user group for your SSL VPN. Simply create a firewall user group,
enable SSL VPN access for the group, and select the web portal the users will access.
SSL VPN access requires an SSL VPN firewall policy that permits access to members of
your user group.
Authenticating PPTP and L2TP VPN users
PPTP and L2TP are older VPN tunneling protocols that do not provide authentication
themselves. FortiGate units restrict PPTP and L2TP access to users who belong to one
specified user group. Users authenticate themselves to the FortiGate unit by
username/password. You can configure PPTP and L2TP VPNs only in the CLI. Before you
configure the VPN, create a firewall user group and add to it the users who are permitted
to use the VPN. Users are authenticated when they attempt to connect to the VPN. For
more information about configuring PPTP or L2TP VPNs, see the FortiGate CLI
Reference.
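The CLI configuration below is an added example, not handbook text, tying the SSL VPN, PPTP and L2TP sections above together: each VPN type is restricted to members of a firewall user group. The user, server, portal and address-range names are assumed, and the group keys `sslvpn-status` and `sslvpn-portal` are assumed to match the 4.0 MR2 CLI Reference.

```text
# Added example (not handbook text). User, portal, group and address values are assumed.

# Firewall user group for SSL VPN: a local user plus an LDAP server whose whole
# user database is permitted. SSL VPN access and the portal are set on the group.
config user group
    edit "sslvpn-users"
        set group-type firewall
        set member "alice" "corp-ldap"
        set sslvpn-status enable
        set sslvpn-portal "full-access"
    next
    edit "dialin-users"
        set group-type firewall
        set member "bob"
    next
end

# SSL VPN firewall policy: only members of the group reach the internal network.
config firewall policy
    edit 20
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "internal-net"
        set action ssl-vpn
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "sslvpn-users"
                set schedule "always"
                set service "ANY"
            next
        end
    next
end

# PPTP and L2TP carry no authentication of their own, so the FortiGate checks
# the username/password against exactly one user group (CLI only).
config vpn pptp
    set status enable
    set sip 10.99.0.1
    set eip 10.99.0.50
    set usrgrp "dialin-users"
end
config vpn l2tp
    set status enable
    set sip 10.99.1.1
    set eip 10.99.1.50
    set usrgrp "dialin-users"
end
```

Because PPTP and L2TP accept a single `usrgrp`, the membership of that group is the complete access list for those tunnels; keep it separate from the SSL VPN group so that enabling a legacy tunnel for one user does not silently grant it to everyone with SSL VPN access.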
User’s view of authentication
The user sees a request for authentication when they try to access a protected resource.
The way in which the request is presented to the user depends on the method of access to
that resource.
VPN authentication usually controls remote access to a private network.
Web-based user authentication
Firewall policies usually control browsing access to an external network that provides
connection to the Internet. In this case, the Fortinet unit requests authentication through
the web browser:
Figure 2: Authentication challenge through a web browser
The user types a user name and password and then selects Continue or Login. If the
credentials are incorrect, the authentication screen is redisplayed with blank fields so that
the user can try again. When the user enters valid credentials, they get access to the
required resource. In some cases, if a user tries to authenticate several times without
success, a message appears, such as: “Too many bad login attempts. Please try again in
a few minutes.”
Note: After a defined period of user inactivity (the authentication timeout, defined by the
FortiGate administrator), the user’s access expires. The default is 5 minutes. To access the
resource, the user will have to authenticate again.
VPN client-based authentication
A VPN provides remote clients with access to a private network for a variety of services
that include web browsing, email, and file sharing. A client program such as FortiClient
negotiates the connection to the VPN and manages the user authentication challenge
from the Fortinet unit.
FortiClient can store the user name and password for a VPN as part of the configuration
for the VPN connection and pass them to the FortiGate unit as needed. Or, FortiClient can
request the user name and password from the user when the FortiGate unit requests
them.
Figure 3: FortiClient application request for user name and password
SSL VPN is a form of VPN that can be used with a standard Web browser. There are two
modes of SSL VPN operation (supported in NAT/Route mode only):
• web-only mode, for remote clients equipped with a web browser only
• tunnel mode, for remote computers that run a variety of client and server applications.
Note: After a defined period of user inactivity on the VPN connection (the idle timeout,
defined by the FortiGate administrator), the user’s access expires. The default is 30
minutes. To access the resource, the user will have to authenticate again.
FortiGate administrator’s view of authentication
Authentication is based on user groups. The FortiGate administrator configures
authentication for firewall policies and VPN tunnels by specifying the user groups whose
members can use the resource. Some planning is required to determine how many
different user groups need to be created. Individual user accounts can belong to multiple
groups, making allocation of user privileges very flexible.
A member of a user group can be:
• a user whose user name and password are stored on the Fortinet unit
• a user whose name is stored on the Fortinet unit and whose password is stored on a
remote or external authentication server
• a remote or external authentication server with a database that contains the user name
and password of each person who is permitted access
The general process of setting up authentication is as follows:
1 If remote or external authentication is needed, configure the required servers.
2 Configure local and peer (PKI) user identities. For each local user, you can choose
whether the Fortinet unit or a remote authentication server verifies the password. Peer
members can be included in user groups for use in firewall policies.
3 Create user groups.
Add local/peer user members to each user group as appropriate. You can also add an
authentication server to a user group. In this case, all users in the server’s database
can authenticate. You can only configure peer user groups through the CLI.
4 Configure firewall policies and VPN tunnels that require authenticated access.
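The four steps above, carried through once as an added CLI example (not handbook text): an LDAP server, a local user whose password the server verifies, a local user with a FortiGate-stored password, a peer (PKI) user and peer group, a firewall user group, an identity-based firewall policy, and the authentication timeout from the note earlier in this chapter. Server, user, CA, interface and address names and the password placeholders are all assumed.

```text
# Added example (not handbook text). All names, DNs and password placeholders are assumed.

# Step 1: external authentication server.
config user ldap
    edit "corp-ldap"
        set server "ldap.example.com"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fortigate-bind,cn=Users,dc=example,dc=com"
        set password BIND_PASSWORD_PLACEHOLDER
    next
end

# Step 2: local user identities. "alice" is verified by the LDAP server,
# "bob" by a password stored on the FortiGate unit.
config user local
    edit "alice"
        set type ldap
        set ldap-server "corp-ldap"
        set status enable
    next
    edit "bob"
        set type password
        set passwd LOCAL_PASSWORD_PLACEHOLDER
        set status enable
    next
end

# Step 2 continued: a peer (PKI) user is identified by certificate subject and
# issuing CA. Peer groups can only be configured in the CLI.
config user peer
    edit "carol-cert"
        set ca "CA_Cert_1"
        set subject "CN=carol"
    next
end
config user peergrp
    edit "pki-staff"
        set member "carol-cert"
    next
end

# Step 3: firewall user group. Adding the LDAP server itself lets every account
# in its database authenticate, so add it only where that is intended.
config user group
    edit "intranet-users"
        set group-type firewall
        set member "alice" "bob" "corp-ldap"
    next
end

# Step 4: identity-based firewall policy that grants web access only to
# authenticated members of the group.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set nat enable
        set identity-based enable
        config identity-based-policy
            edit 1
                set groups "intranet-users"
                set schedule "always"
                set service "HTTP" "HTTPS"
            next
        end
    next
end

# Authentication timeout in minutes (5 is the default noted earlier).
config user setting
    set auth-timeout 5
end
```

The order matters: the group cannot reference `corp-ldap` or `alice` before they exist, and the policy cannot reference the group before it is created, so apply the sections in the sequence shown.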